Physicians of small or solo medical practices tell me all the time that HIPAA (the Health Insurance Portability and Accountability Act) is a joke and that audits and fines will not happen to them. Tell that to solo practitioner Dr. Steven Porter, a gastroenterologist from Ogden, Utah, who runs and manages his own practice. The Federal Department of Health and Human Services (HHS) today issued a press release stating that Dr. Porter had “failed to implement policies and procedures to prevent, detect, contain, and correct security violations. Specifically, the Practice failed to conduct an accurate and thorough risk analysis of potential risks and vulnerabilities… [and] failed to implement… measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.” Dr. Porter relied on his EHR company to do these things; as the corrective action plan states, “Dr. Porter’s EHR company [was permitted] to create, receive, maintain, or transmit ePHI (electronic protected health information) on the Practice’s behalf at least since 2013 without [the Practice] obtaining satisfactory assurance that the EHR company will appropriately safeguard the ePHI.” Dr. Porter was fined $100,000 and required to adhere to a two (2) year corrective action plan. I bet Dr. Porter thought this would never happen to him.
Lately, HHS has been going after ALL practices, large and small, in an effort to enforce HIPAA requirements. The Office of Civil Rights Director, Roger Severino, stated, “All health care providers, large and small, need to take their HIPAA obligations seriously. The failure to implement basic HIPAA requirements, such as an accurate and thorough risk analysis and risk management plan, continues to be an unacceptable and disturbing trend within the health care industry.” I personally would go a step further and say that medical practices, large and small, should not only implement basic HIPAA requirements, but should also have someone knowledgeable in HIPAA’s requirements, able to understand and advise on the law, and with a track record of keeping medical practices out of HIPAA’s doghouse with fines and violations.
Physicians at large, small, or solo practices can no longer think that HIPAA is a joke, or that fines, audits, violations and penalties won’t happen to them, because they are happening to them. HHS will continue to enforce HIPAA at breakneck speed, and ALL physicians, regardless of size of practice, are at risk if they are not prepared. Don’t be one of the physicians left paying a fine because you didn’t think it would happen to you; be the one who was prepared and was able to keep it from happening.